The Security-Business Divide Is a Systems Problem
Yet another meeting where the divide between security and the business takes over the conversation – well, more like an argument than a conversation. This interminable finger-pointing is becoming more than tiring.
The divide between cybersecurity professionals and business leaders isn’t really about personalities, communication styles, or workplace culture. It’s a problem of coordination. Security staff and business leaders work from different information bases. They carry different responsibilities, face different constraints, and pursue different goals. The tensions this creates come from how organisations are structured, not from personal failings.
This matters because it changes where we look for solutions. If we think security professionals are entitled or business leaders are deliberately ignorant, we’ll try to replace people. If we recognise this as a problem of how work is organised, we’ll redesign the systems instead.
Better organisation produces real results. Companies where security and executive teams share the same understanding have fewer security incidents. Those that build security into their business processes from the start get better outcomes. Having a shared way of talking about risk lets us make better decisions. The question isn’t whether better alignment helps, but how to achieve it.
As has been explored in previous blogs, both security professionals and business leaders need to change. Security teams must learn to explain risks in business terms and demonstrate value. Business leaders must understand enough about cybersecurity to make informed decisions, give security professionals the authority to match their responsibilities, and build security into strategic planning. Neither side can fix this alone – they need to work together.
The cybersecurity challenges facing organisations today are serious and getting worse. Solving them needs the best thinking from both security experts and business leaders, working as genuine partners rather than being constantly at odds. This won’t happen by itself. It needs deliberate planning, sustained effort to understand each other better, and leadership willing to make real structural changes.
The alternative – carrying on with poor communication, mutual frustration, and mediocre results – simply doesn’t work and doesn’t have to continue. What’s needed now is the willingness to actually do it, and to change the way organisations are set up so these tensions don’t exist in the first place.
This is entirely possible to achieve. Organisations that take these challenges seriously will invest in changing their structures and commit to a real partnership between security and business teams.
The question each organisation faces is simple: will we keep treating this as a problem with people, or will we recognise it for what it really is – a problem with systems?
The answer will determine whether you keep having the same frustrating meetings, or whether you finally break the cycle.
